2 * linux/net/sunrpc/auth_unix.c
4 * UNIX-style authentication; no AUTH_SHORT support
6 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
9 #include <linux/slab.h>
10 #include <linux/types.h>
11 #include <linux/sched.h>
12 #include <linux/module.h>
13 #include <linux/sunrpc/clnt.h>
14 #include <linux/sunrpc/auth.h>
15 #include <linux/user_namespace.h>
17 #define NFS_NGROUPS 16
20 struct rpc_cred uc_base
;
22 kgid_t uc_gids
[NFS_NGROUPS
];
24 #define uc_uid uc_base.cr_uid
26 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
27 # define RPCDBG_FACILITY RPCDBG_AUTH
30 static struct rpc_auth unix_auth
;
31 static const struct rpc_credops unix_credops
;
33 static struct rpc_auth
*
34 unx_create(struct rpc_auth_create_args
*args
, struct rpc_clnt
*clnt
)
36 dprintk("RPC: creating UNIX authenticator for client %p\n",
38 atomic_inc(&unix_auth
.au_count
);
43 unx_destroy(struct rpc_auth
*auth
)
45 dprintk("RPC: destroying UNIX authenticator %p\n", auth
);
46 rpcauth_clear_credcache(auth
->au_credcache
);
50 unx_hash_cred(struct auth_cred
*acred
, unsigned int hashbits
)
52 return hash_64(from_kgid(&init_user_ns
, acred
->gid
) |
53 ((u64
)from_kuid(&init_user_ns
, acred
->uid
) <<
54 (sizeof(gid_t
) * 8)), hashbits
);
58 * Lookup AUTH_UNIX creds for current process
60 static struct rpc_cred
*
61 unx_lookup_cred(struct rpc_auth
*auth
, struct auth_cred
*acred
, int flags
)
63 return rpcauth_lookup_credcache(auth
, acred
, flags
, GFP_NOFS
);
66 static struct rpc_cred
*
67 unx_create_cred(struct rpc_auth
*auth
, struct auth_cred
*acred
, int flags
, gfp_t gfp
)
69 struct unx_cred
*cred
;
70 unsigned int groups
= 0;
73 dprintk("RPC: allocating UNIX cred for uid %d gid %d\n",
74 from_kuid(&init_user_ns
, acred
->uid
),
75 from_kgid(&init_user_ns
, acred
->gid
));
77 if (!(cred
= kmalloc(sizeof(*cred
), gfp
)))
78 return ERR_PTR(-ENOMEM
);
80 rpcauth_init_cred(&cred
->uc_base
, acred
, auth
, &unix_credops
);
81 cred
->uc_base
.cr_flags
= 1UL << RPCAUTH_CRED_UPTODATE
;
83 if (acred
->group_info
!= NULL
)
84 groups
= acred
->group_info
->ngroups
;
85 if (groups
> NFS_NGROUPS
)
88 cred
->uc_gid
= acred
->gid
;
89 for (i
= 0; i
< groups
; i
++)
90 cred
->uc_gids
[i
] = acred
->group_info
->gid
[i
];
92 cred
->uc_gids
[i
] = INVALID_GID
;
94 return &cred
->uc_base
;
98 unx_free_cred(struct unx_cred
*unx_cred
)
100 dprintk("RPC: unx_free_cred %p\n", unx_cred
);
105 unx_free_cred_callback(struct rcu_head
*head
)
107 struct unx_cred
*unx_cred
= container_of(head
, struct unx_cred
, uc_base
.cr_rcu
);
108 unx_free_cred(unx_cred
);
112 unx_destroy_cred(struct rpc_cred
*cred
)
114 call_rcu(&cred
->cr_rcu
, unx_free_cred_callback
);
118 * Match credentials against current process creds.
119 * The root_override argument takes care of cases where the caller may
120 * request root creds (e.g. for NFS swapping).
123 unx_match(struct auth_cred
*acred
, struct rpc_cred
*rcred
, int flags
)
125 struct unx_cred
*cred
= container_of(rcred
, struct unx_cred
, uc_base
);
126 unsigned int groups
= 0;
130 if (!uid_eq(cred
->uc_uid
, acred
->uid
) || !gid_eq(cred
->uc_gid
, acred
->gid
))
133 if (acred
->group_info
!= NULL
)
134 groups
= acred
->group_info
->ngroups
;
135 if (groups
> NFS_NGROUPS
)
136 groups
= NFS_NGROUPS
;
137 for (i
= 0; i
< groups
; i
++)
138 if (!gid_eq(cred
->uc_gids
[i
], acred
->group_info
->gid
[i
]))
140 if (groups
< NFS_NGROUPS
&& gid_valid(cred
->uc_gids
[groups
]))
146 * Marshal credentials.
147 * Maybe we should keep a cached credential for performance reasons.
150 unx_marshal(struct rpc_task
*task
, __be32
*p
)
152 struct rpc_clnt
*clnt
= task
->tk_client
;
153 struct unx_cred
*cred
= container_of(task
->tk_rqstp
->rq_cred
, struct unx_cred
, uc_base
);
157 *p
++ = htonl(RPC_AUTH_UNIX
);
159 *p
++ = htonl(jiffies
/HZ
);
162 * Copy the UTS nodename captured when the client was created.
164 p
= xdr_encode_array(p
, clnt
->cl_nodename
, clnt
->cl_nodelen
);
166 *p
++ = htonl((u32
) from_kuid(&init_user_ns
, cred
->uc_uid
));
167 *p
++ = htonl((u32
) from_kgid(&init_user_ns
, cred
->uc_gid
));
169 for (i
= 0; i
< 16 && gid_valid(cred
->uc_gids
[i
]); i
++)
170 *p
++ = htonl((u32
) from_kgid(&init_user_ns
, cred
->uc_gids
[i
]));
171 *hold
= htonl(p
- hold
- 1); /* gid array length */
172 *base
= htonl((p
- base
- 1) << 2); /* cred length */
174 *p
++ = htonl(RPC_AUTH_NULL
);
181 * Refresh credentials. This is a no-op for AUTH_UNIX
184 unx_refresh(struct rpc_task
*task
)
186 set_bit(RPCAUTH_CRED_UPTODATE
, &task
->tk_rqstp
->rq_cred
->cr_flags
);
191 unx_validate(struct rpc_task
*task
, __be32
*p
)
193 rpc_authflavor_t flavor
;
196 flavor
= ntohl(*p
++);
197 if (flavor
!= RPC_AUTH_NULL
&&
198 flavor
!= RPC_AUTH_UNIX
&&
199 flavor
!= RPC_AUTH_SHORT
) {
200 printk("RPC: bad verf flavor: %u\n", flavor
);
201 return ERR_PTR(-EIO
);
205 if (size
> RPC_MAX_AUTH_SIZE
) {
206 printk("RPC: giant verf size: %u\n", size
);
207 return ERR_PTR(-EIO
);
209 task
->tk_rqstp
->rq_cred
->cr_auth
->au_rslack
= (size
>> 2) + 2;
215 int __init
rpc_init_authunix(void)
217 return rpcauth_init_credcache(&unix_auth
);
220 void rpc_destroy_authunix(void)
222 rpcauth_destroy_credcache(&unix_auth
);
225 const struct rpc_authops authunix_ops
= {
226 .owner
= THIS_MODULE
,
227 .au_flavor
= RPC_AUTH_UNIX
,
229 .create
= unx_create
,
230 .destroy
= unx_destroy
,
231 .hash_cred
= unx_hash_cred
,
232 .lookup_cred
= unx_lookup_cred
,
233 .crcreate
= unx_create_cred
,
237 struct rpc_auth unix_auth
= {
238 .au_cslack
= UNX_CALLSLACK
,
239 .au_rslack
= NUL_REPLYSLACK
,
240 .au_flags
= RPCAUTH_AUTH_NO_CRKEY_TIMEOUT
,
241 .au_ops
= &authunix_ops
,
242 .au_flavor
= RPC_AUTH_UNIX
,
243 .au_count
= ATOMIC_INIT(0),
247 const struct rpc_credops unix_credops
= {
248 .cr_name
= "AUTH_UNIX",
249 .crdestroy
= unx_destroy_cred
,
250 .crbind
= rpcauth_generic_bind_cred
,
251 .crmatch
= unx_match
,
252 .crmarshal
= unx_marshal
,
253 .crrefresh
= unx_refresh
,
254 .crvalidate
= unx_validate
,